Eureka HTB Walkthrough

Welcome to another Hack the Box walkthrough. In this blog post, I have demonstrated how I owned the Eureka machine on Hack the Box. Hack The Box is a cybersecurity platform that helps you bridge knowledge gaps and prepares you for cyber security jobs.

You can also test and grow your penetration testing skills, from gathering information to reporting. If you are new to this blog, please do not forget to like, comment and subscribe to my YouTube channel and follow me on LinkedIn for more updates.

About the Machine

Eureka is a hard Linux machine which incorporated a password leakage in heapdump and a vulnerability in the Eureka service on the intranet port, by registering a fake microservice instance and obtaining user credentials. The Linux machine also feature an array comparison vulnerability by modifying a log file to achieve privilege escalation.

The first step in pwning the Eureka machine like I have always done in my previous writeups is to connect my Kali Linux terminal with Hack the Box server. To establish this connection, I ran the following command in the terminal:

sudo openvpn eureka.ovpn

After the connection has been set up, I started the target machine, and I was assigned an IP address of 10.10.11.66.

I kicked things off with an Nmap scan to see what services the target was running:

nmap eureka.htb -sV -A

The scan quickly revealed that the box was alive and exposing just two services:

• Port 22 (SSH) - running OpenSSH 8.2p1 on Ubuntu. While SSH is always useful for eventual access, it typically requires valid credentials or a private key, so I noted it down for later.
• Port 80 (HTTP) - served by nginx 1.18.0. Interestingly, the HTTP title indicated a redirect to another virtual host: http://furni.htb/. This suggested the presence of a vhost setup, and likely meant I’d need to add furni.htb to my /etc/hosts file before I could explore the web application properly.

The OS fingerprinting also hinted at the target running a Linux 5.x kernel, with possible traces of MikroTik RouterOS signatures (likely a false positive due to overlapping TCP/IP fingerprints). The traceroute confirmed the host was just two hops away on the HackTheBox network.

At this point, the real lead was the web server and its furni.htb virtual host, which looked like the intended attack surface. SSH would remain on the backburner until I uncovered credentials through web exploitation or enumeration.

Since the Nmap scan revealed that the web server on eureka.htb was redirecting to furni.htb, I suspected the target was using virtual hosting. By default, my system wouldn’t know how to resolve that hostname, so I had to manually map it to the target’s IP address.

I edited the /etc/hosts file to include both domains:

sudo nano /etc/hosts

and added the following line:

10.10.11.66 eureka.htb furni.htb

This ensured that whenever I visited http://furni.htb/ in my browser, it would resolve directly to the machine’s IP on the HackTheBox network. With this step complete, I was ready to start enumerating the web application hosted on furni.htb.

With the furni.htb domain mapped in /etc/hosts, I browsed to the site and was greeted with what appeared to be a fully functional furniture e-commerce platform.

The landing page branded itself as “Furni. – Modern Interior Design Studio”, showcasing different categories of furniture, a shopping cart, and even a checkout process. From the look of it, the site was built to mimic a legitimate online store.

Key features stood out immediately:

• User Registration & Login - suggesting some form of authentication system that could potentially be abused if implemented insecurely.
• Shopping Cart & Checkout - users could add items to their cart and proceed with purchases.
• Dynamic Content - several links like Shop, About Us, Services, Blog, and Register indicated that the site might have multiple endpoints worth enumerating.

At this stage, however, nothing on the front page appeared directly vulnerable. The registration and purchase functionality worked as expected, but didn’t immediately reveal an exploit vector. This meant the real attack surface was likely hidden deeper — either in unlisted directories, API endpoints, or backend services tied to the site.

The next logical step was to begin enumerating directories and subpages with a tool like dirsearch, ffuf or gobuster, hoping to uncover something the developers hadn’t meant to expose.

dirsearch -u http://furni.htb/ -e php,html,txt -t 50

The scan turned out to be very fruitful. Alongside the expected pages like /about, /shop, /services, /register, and /login, I stumbled upon something far more interesting:

• A whole set of Spring Boot Actuator endpoints under /actuator/. These are debugging and monitoring routes that developers usually forget to lock down. The scan revealed endpoints such as /actuator/env, /actuator/beans, /actuator/configprops, /actuator/mappings, /actuator/metrics, and even /actuator/heapdump.
• These are goldmines in CTFs (and real-world pentests) because they often expose sensitive information about the application’s environment, configuration, or even memory contents.
• The /blog directory also stood out, but it seemed to just host regular content with no immediate vulnerabilities.
• Shopping features like /cart, /checkout, and /comment redirected unauthenticated users back to /login, confirming that these actions required valid credentials.

The big takeaway here was the exposed Spring Actuator panel. Among the various endpoints, /actuator/env looked particularly promising since it often leaks environment variables - including database credentials, API keys, or internal service URLs. Even more striking was /actuator/heapdump, which produced a massive 76MB file - a strong indication that memory contents of the running application could be downloaded.

At this point, I knew the path forward: enumerate the Actuator endpoints to hunt for secrets that could help me move deeper into the system.

With the exposed Spring Boot Actuator endpoints in sight, I decided to start with /actuator/env. This endpoint is known for dumping application environment variables and configuration values.

Visiting:

http://furni.htb/actuator/env

returned a detailed JSON output containing the server’s environment configuration. Buried within the noise were sensitive values - things like database connection strings, usernames, and API keys. This was a clear indication that the developers had left debugging enabled in production. Such information could easily be leveraged to gain deeper access into the system.

Next, I turned to the most dangerous of the lot:

http://furni.htb/actuator/heapdump

This endpoint allowed me to download a massive 76MB .hprof file. A heap dump is essentially a snapshot of the application’s memory at runtime, and analyzing it can reveal plaintext secrets - usernames, passwords, session tokens, and other sensitive data that were loaded in memory at the time of the dump.

In a real-world attack, this kind of leak would be critical, as an attacker could mine the dump for authentication credentials or other exploitable tokens. In the context of this CTF, it was clear that the heap dump would contain something I could use to pivot further into the machine.

With the heap dump in hand, I set out to mine it for sensitive information. Heap dumps are memory snapshots of a running Java application, so it’s common to find credentials, API tokens, or session data lingering inside.

To keep things simple, I used the strings command to extract readable text from the dump and then grepped for anything related to passwords:

strings heapdump | grep -i "password="

Sure enough, this paid off quickly. Among the output, I spotted a clear-text credential pair:

{password=0sc@r190_S0l!dP@sswd, user=oscar190}!

This gave me a username: oscar190 and a password: 0sc@r190_S0l!dP@sswd.

It looked like I had struck gold - valid credentials that could be reused either on the website’s login form or, even better, through SSH access since port 22 was open. The next step was obvious: try these credentials against the available services to see where they would get me in.

Armed with the credentials from the heap dump (oscar190 : 0sc@r190_S0l!dP@sswd), I moved on to test them against the SSH service exposed on port 22. With the credentials oscar190 : 0sc@r190_S0l!dP@sswd in hand, I attempted a direct SSH connection to the target:

ssh oscar190@furni.htb

On the first connection, SSH prompted me to verify the host’s fingerprint. Since this was my initial login to the box, I confirmed the authenticity and permanently added furni.htb to my list of known hosts.

After entering the password, I successfully authenticated as oscar190 and landed on a shell running Ubuntu 20.04.6 LTS with kernel 5.4.0-214-generic.

At this stage, I had achieved an initial foothold on the target as a low-privileged user. The next phase of the attack would focus on enumerating the system to uncover privilege escalation paths — such as checking for sudo permissions, cron jobs, misconfigured services, or sensitive files left behind by the developers.

I dug a little deeper into the heap dump, searching for anything referencing the port I had tunneled earlier (8761). Running strings heapdump | grep 8761 -n revealed multiple references to the local Eureka endpoint - and one entry jumped out immediately:

strings heapdump | grep 8761 -n 227464:P`http://localhost:8761/eureka/ 344576:http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/! 366651:http://localhost:8761/eureka/! 442796:http://localhost:8761/eureka/! 450355:Host: localhost:8761 450870:http://localhost:8761/eureka/! 451153:Host: localhost:8761

This told me two important things at once: the application was talking to a local Eureka service on localhost:8761, and there was an embedded credential (EurekaSrvr:0scarPWDisTheB3st) used to authenticate to that service. Other matches in the output simply confirmed repeated requests and Host: localhost:8761 headers, showing that the service was actively contacted by the app. 

Because I already had an SSH session and had forwarded local port 8761 to my machine earlier, this was a perfect pivot: I could now point my browser or curl at http://localhost:8761/eureka/ and try the discovered service account (EurekaSrvr / 0scarPWDisTheB3st). In short — the heap dump didn’t just leak a web user’s password, it exposed internal service credentials and a direct path into the application’s service registry. That’s the exact kind of lead that accelerates the rest of the box takeover.

With the Eureka credentials discovered in the heap dump (EurekaSrvr : 0scarPWDisTheB3st), I could interact directly with the service registry. I used curl with basic auth to POST a registration payload to the Eureka API and register an instance of USER-MANAGEMENT-SERVICE:

curl -X POST \ http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/apps/USER-MANAGEMENT-SERVICE \ -H 'Content-Type: application/json' \ -d '{ "instance": { "instanceId": "USER-MANAGEMENT-SERVICE", "hostName": "10.10.11.66", "app": "USER-MANAGEMENT-SERVICE", "ipAddr": "10.10.11.66", "vipAddress": "USER-MANAGEMENT-SERVICE", "secureVipAddress": "USER-MANAGEMENT-SERVICE", "status": "UP", "port": { "$": 8080, "@enabled": "true" }, "dataCenterInfo": { "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo", "name": "MyOwn" } } }'

a

b

c

a

b

c

d

e

f

1.

2.

3.

4.

5.

6.

z

a

b

c

d

e

f

If you enjoy reading my walkthrough, do not forget to like, comment, and subscribe to my YouTube channel and also connect with me on LinkedIn. Also, don't forget to turn on post notification on my YouTube channel and medium to get notification as soon as I write.

1. Subscribe to my YouTube channel: https://www.youtube.com/@BoltechTechnologies1
2. Follow me on LinkedIn: https://www.linkedin.com/in/isiaq-ibrahim-468588156/
3. Follow me on Medium: https://medium.com/@boltech
4. Follow me on Twitter: https://x.com/Isiaq_Ibrahim99
5. Follow me on Twitter: https://x.com/BoltechNG
6. Buy me a coffee: https://buymeacoffee.com/boltechtechnologies

Keywords:

eighteen htb writeup

eighteen htb walkthrough

eighteen htb

htb eighteen writeup

eighteen writeup

htb eighteen

htb eighteen walkthrough

hackthebox eighteen writeup

eighteen walkthrough

gavel htb

eighteen hackthebox writeup

eighteen writeup htb

eighteen hackthebox

gavel htb writeup

eighteen hack the box

hack the box eighteen

gavel writeup

hackthebox eighteen

htb gavel writeup

eighteen walkthrough htb

eighteen hack the box walkthrough

eighteen.htb writeup

hackthebox eighteen walkthrough

hack the box eighteen walkthrough

eighteen.htb

eighteen hackthebox walkthrough

hack the box eighteen writeup

dc01.eighteen.htb

eighteen write up

eighteen hack the box writeup

eighteen htb machine

htb "eighteen" writeup

"overwatch.htb"

htb gavel

htb gavel walkthrough

"eighteen.htb"

eighteen htb write up

pterodactyl htb walkthrough

hackthebox gavel writeup

"eighteen" hackthebox writeup

htb eighteen write up

eighteen machine htb

gavel htb walkthrough

"eighteen" htb writeup

gavel walkthrough

signed htb

facts walkthrough

gavel hackthebox writeup

eighteen.htb walkthrough

gavel htb write up

"eighteen" htb walkthrough

htb "eighteen"

htb signed

facts hackthebox writeup

cctv hackthebox walkthrough

gavel.htb

overwatch htb walkthrough

gavel hack the box

nanocorp walkthrough

hackthebox gavel

eighteen writeup hackthebox

gavel hackthebox

"overwatch" htb writeup

gavel writeup htb

writeup eighteen

hackthebox "eighteen"

"eighteen.htb" writeup

gavel hackthebox walkthrough

wingdata htb

facts htb writeup

hack the box cctv

cctv hack the box

overwatch walkthrough htb

signed.htb

htb wingdata write up

"giveback" htb writeup

"monitorsfour"

htb gavel sql injection payload inventory.php

hack the box gavel sql injection payload inventory.php

htb gavel walkthrough sql injection payload inventory.php

hack the box gavel sql injection payload inventory.php 2025

overwatch htb writeup

htb gavel walkthrough pdo injection sort parameter

hack the box gavel sql injection payload 2025

htb gavel admin password or hash

htb gavel sql injection payload inventory.php sort

htb gavel walkthrough sql injection inventory.php payload

hack the box gavel sql injection inventory.php payload 2025

htb gavel machine walkthrough pdo injection sort parameter

htb gavel walkthrough sql injection inventory.php

htb machine editor xwiki simplistcode pro

hack the box gavel walkthrough sql injection payload

hack the box gavel walkthrough sql injection payload inventory.php

hackthebox eighteen machine walkthrough

htb gavel walkthrough sql injection payload

nanocorp htb

hackthebox gavel sql injection payload inventory.php

gavel.htb/admin.php

hack the box gavel sql injection inventory.php payload

htb eighteen machine walkthrough

htb overwatch walkthrough

"gavel.htb"

hack the box gavel walkthrough pdo injection

facts htb walkthrough

hack the box eighteen machine walkthrough

htb gavel exact sql injection payload inventory.php

facts.htb:54321

eighteen.htb:5985

htb overwatch writeup

"browsed.htb"

gavel 2.0 exploit

nanocorp htb writeup

hackthebox overwatch writeup

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133" password

gavel.htb/includes

overwatch hackthebox writeup

hercules htb writeup

editor htb

gavel-util

signed htb walkthrough

overwatch writeup htb

guardian htb writeup

overwatch hackthebox walkthrough

gavel htb admin password or hash

"hack the box" "eighteen" writeup

monitorsfour.htb:5985

eighteen htb github

cctv htb writeup

editor htb walkthrough

"eighteen" htb

hercules htb walkthrough

conversor htb walkthrough

pterodactyl htb writeup

"browsed" htb writeup

htb eighteen admin password iloveyou1

gavel.htb/rules

overwatch.htb:5985

htb eighteen privilege escalation walkthrough

htb walkthrough

eighteen.htb hackthebox

hack the box gavel

"pirate.htb"

hercules htb

overwatch hack the box writeup

pterodactyl hack the box walkthrough

nanocorp writeup

overwatch.htb writeup

htb monitorsfour

pterodactyl hackthebox walkthrough

fluffy htb

pterodactyl walkthrough htb

hackthebox hercules

htb browsed

"dc01.eighteen.htb"

32940defd3c3ef70a2dd44a5301ff984c4742f0baae76ff5b8783994f8a503ca

ina2we6harj2gaw!

cctv hackthebox

hackthebox "eighteen" writeup

cctv hackthebox writeup

hack the box gavel sql injection payload inventory.php sort

"eighteen" hack the box writeup

gavel writeup hackthebox

gavel.htb/.git

htb 18

giveback walkthrough

hackthebox cctv

hackthebox gavel walkthrough

hackthebox eighteen machine

htb guardian writeup

htb cctv walkthrough

htb editor writeup

hackthebox facts writeup

nanocorp htb walkthrough

cctv htb

overwatch hack the box walkthrough

pterodactyl hack the box

pterodactyl hack the box writeup

htb cctv

hackthebox nanocorp writeup

overwatch writeup hackthebox

giveback htb writeup

hackthebox airtouch writeup

htb pterodactyl walkthrough

hackthebox overwatch walkthrough

htb overwatch

htb nanocorp writeup

browsed htb writeup

overwatch htb

pterodactyl htb

htb pterodactyl

browsed htb walkthrough

htb artificial

htb topology writeup

topology htb writeup

"0673ad90a0b4afb19d662336f0fce3a9edd0b7b19193717be28ce4d66c887133"

989c5a8ee87a0e9521ec81a79187d162109282f0

securevision cctv exploit

$2y$10$cmytvwfrnt1xfqsitsjrve/apxwxcifqcurnm5n.rhlulwm0jrtbm

hackthebox facts walkthrough

hack the box wingdata

signed walkthrough

writeup wingdata

htb gavel write up

"giveback.htb"

cctv.htb

cctv htb walkthrough

cctv.htb writeup

editor.htb:8080

htb cctv writeup

giveback htb

htb interpreter walkthrough

hercules writeup

monitorsfour.htb/controllers

wiki.editor.htb

monitorsfour.htb/robots.txt

monitorsfour htb writeup

facts hack the box writeup

editor.htb

nanocorp.htb

conversor walkthrough

hackthebox pterodactyl walkthrough

htb edit

hack the box eighteen machine

giveback htb walkthrough

browsed htb

htb hercules writeup

pterodactyl.htb walkthrough

browsed.htb writeup

planning htb

monitorsfour htb walkthrough

overwatch htb write up

htb fluffy

overwatch hackthebox

hackthebox monitorsfour

htb nanocorp

htb nanocorp walkthrough

nanocorp hackthebox

facts hackthebox walkthrough

pterodactyl writeup htb

"facts.htb"

overwatch htb machine

artificial htb

browsed htb write up

hackthebox pterodactyl

pterodactyl hackthebox writeup

htb pterodactyl writeup

hackthebox nanocorp

htb browsed walkthrough

htb planning

browsed walkthrough